def test_new_interface_becomes_visible(): """ Title: Test new interface becomes visible Scenario: When: On start up, a Midolman sees no interface, Then: adds a new interface, And: Midolman detects a new interface. """ midonet_api = get_midonet_api() new_interface = get_interface(midonet_api, '00000000-0000-0000-0000-000000000001', 'interface_01') # Test that no interface with name 'interface_01' exists. assert_that(new_interface, none(), 'interface interface_01') # Create a new interface 'interface_01'. PTM.build() time.sleep(5) new_interface = get_interface(midonet_api, '00000000-0000-0000-0000-000000000001', 'interface_01') # Test that the created interface is visible. assert_that(new_interface, not_none(), 'interface interface_01.')
def bind(self, filename=None, data=None): self._data = self._get_data(filename, data) # Get a new api ref to workaround previous zk failures self._api = get_midonet_api() bindings = self._data['bindings'] for b in bindings: binding = b['binding'] host_id = binding['host_id'] iface_id = binding['interface_id'] device_name = binding['device_name'] port_id = binding['port_id'] self._port_if_map[(device_name, port_id)] = (host_id, iface_id) device_port = self._vtm.get_device_port(device_name, port_id) mn_vport = device_port._mn_resource if mn_vport.get_type() == 'InteriorRouter' or \ mn_vport.get_type() == 'InteriorBridge': LOG.error("Cannot bind interior port") sys.exit(-1) # TODO: make this fancier mn_vport_id = mn_vport.get_id() iface = self._ptm.get_interface(host_id, iface_id) iface.clear_arp(sync=True) iface_name = iface.interface['ifname'] mn_host_id = iface.host['mn_host_id'] iface.vport_id = mn_vport_id self._api.get_host(mn_host_id).add_host_interface_port()\ .port_id(mn_vport_id)\ .interface_name(iface_name).create() await_port_active(mn_vport_id)
def test_new_interface_becomes_visible(): """ mdts.tests.functional_tests.test_midolman_and_interfaces.test_new_interface_becomes_visible Scenario: When: On start up, a Midolman sees no interface, Then: adds a new interface, And: Midolman detects a new interface. """ # FIXME: pick the midonet-agent from binding manager (when parallel) midonet_api = get_midonet_api() agent = service.get_container_by_hostname('midolman1') iface_name = 'interface%d' % random.randint(1, 100) new_interface = get_interface(midonet_api, agent.get_midonet_host_id(), iface_name) # Test that no interface with name 'interface_01' exists. assert_that(new_interface, none(), iface_name) # Create a new interface 'interface_01'. iface = agent.create_vmguest(ifname=iface_name) time.sleep(5) new_interface = get_interface(midonet_api, agent.get_midonet_host_id(), iface_name) # Test that the created interface is visible. assert_that(new_interface, not_none(), iface_name) agent.destroy_vmguest(iface)
def test_new_interface_becomes_visible(): """ mdts.tests.functional_tests.test_midolman_and_interfaces.test_new_interface_becomes_visible Scenario: When: On start up, a Midolman sees no interface, Then: adds a new interface, And: Midolman detects a new interface. """ # FIXME: pick the midonet-agent from binding manager (when parallel) midonet_api = get_midonet_api() agent = service.get_container_by_hostname('midolman1') iface_name = 'interface%d' % random.randint(1, 100) new_interface = get_interface( midonet_api, agent.get_midonet_host_id(), iface_name) # Test that no interface with name 'interface_01' exists. assert_that(new_interface, none(), iface_name) # Create a new interface 'interface_01'. iface = agent.create_vmguest(ifname=iface_name) time.sleep(5) new_interface = get_interface( midonet_api, agent.get_midonet_host_id(), iface_name) # Test that the created interface is visible. assert_that(new_interface, not_none(), iface_name) agent.destroy_vmguest(iface)
def bind(self, filename=None, data=None): # Build a new virtual topology at every binding, destroy at the end self._ptm.build() self._vtm.build() self._data = self._get_data(filename, data) # Get a new api ref to workaround previous zk failures self._api = get_midonet_api() bindings = self._data['bindings'] for b in bindings: binding = b['binding'] host_id = binding['host_id'] iface_id = binding['interface_id'] device_name = binding['device_name'] port_id = binding['port_id'] self._port_if_map[(device_name, port_id)] = \ (host_id, iface_id) device_port = self._vtm.get_device_port(device_name, port_id) mn_vport = device_port._mn_resource if mn_vport.get_type() == 'InteriorRouter' or \ mn_vport.get_type() == 'InteriorBridge': LOG.error("Cannot bind interior port") sys.exit(-1) # TODO: make this fancier mn_vport_id = mn_vport.get_id() host = service.get_container('midolman', host_id) # Clean up yamls or remove them completely, this is so ugly _host = filter( lambda x: x['host']['id'] == host_id, self._ptm._hosts)[0]['host'] _interface = filter( lambda x: x['interface']['id'] == iface_id, _host['interfaces'] )[0]['interface'] # Remove kwargs we are not interested in _interface_vm = dict(_interface) del _interface_vm['ipv6_addr'] del _interface_vm['type'] del _interface_vm['id'] iface = host.create_vmguest(**_interface_vm) self._port_if_map[(device_name, port_id)] = iface iface.vport_id = mn_vport_id self._vms.append(iface) iface.clear_arp(sync=True) iface_name = iface.get_host_ifname() #iface.interface['ifname'] mn_host_id = host.get_midonet_host_id() #iface.host['mn_host_id'] iface.vport_id = mn_vport_id host.bind_port(iface, mn_vport_id) await_port_active(mn_vport_id)
def __init__(self, filename=None, data=None, midonet_api=None): super(TopologyManager, self).__init__() # deprecate self._data = self._get_data(filename, data) self._midonet_api_host = service.get_container_by_hostname('cluster1') # New model self._midonet_api = utils.get_midonet_api() self._cleanups = callmany.CallMany() self._resources = {}
def reboot_agents(sleep_secs): midonet_api = get_midonet_api() stop_midolman_agents() time.sleep(5) check_all_midolman_hosts(midonet_api, alive=False) time.sleep(sleep_secs) start_midolman_agents() time.sleep(30) check_all_midolman_hosts(midonet_api, alive=True)
def setup(): # disable ipv6 to avoid mac learning with automatically sent # ipv6 packets e.g. autoconf upon "ip link set up" subprocess.call( ['sysctl -w net.ipv6.conf.default.disable_ipv6=1 >/dev/null'], shell=True) midonet_api = get_midonet_api() check_all_midolman_hosts(midonet_api, True) clear_physical_topology() clear_virtual_topology_for_tenants( tenant_name_prefix=TEST_TENANT_NAME_PREFIX)
def test_host_status(): """ Title: Test host status update Scenario: When: The test starts up, Then: check if all Midolman agents are alive, Then: stops all Midolman agents, Then: check if all Midolman agents are now dead, Then: restarts all Midolman agetns, And: check again if all Midolman agents are alive, """ midonet_api = get_midonet_api() check_all_midolman_hosts(midonet_api, alive=True) stop_midolman_agents() time.sleep(5) check_all_midolman_hosts(midonet_api, alive=False) start_midolman_agents() time.sleep(30) check_all_midolman_hosts(midonet_api, alive=True)
def test_new_interface_becomes_visible(): """ Title: Test new interface becomes visible Scenario: When: On start up, a Midolman sees no interface, Then: adds a new interface, And: Midolman detects a new interface. """ midonet_api = get_midonet_api() new_interface = get_interface( midonet_api, '00000000-0000-0000-0000-000000000001', 'interface_01') # Test that no interface with name 'interface_01' exists. assert_that(new_interface, none(), 'interface interface_01') # Create a new interface 'interface_01'. PTM.build() time.sleep(5) new_interface = get_interface( midonet_api, '00000000-0000-0000-0000-000000000001', 'interface_01') # Test that the created interface is visible. assert_that(new_interface, not_none(), 'interface interface_01.')
def bind(self, filename=None): self._ptm.build() self._vtm.build() # Get a new api ref to workaround previous zk failures self._api = get_midonet_api() bindings = self._data['bindings'] for b in bindings: binding = b['binding'] host_id = binding['host_id'] iface_id = binding['interface_id'] device_name = binding['device_name'] port_id = binding['port_id'] device_port = self._vtm.get_device_port(device_name, port_id) mn_vport = device_port._mn_resource if mn_vport.get_type() == 'InteriorRouter' or \ mn_vport.get_type() == 'InteriorBridge': LOG.error("Cannot bind interior port") sys.exit(-1) # TODO: make this fancier # FIXME: some hosts are specified by midonet host_id while others # are referenced by hostname. Need a coherent mechanism # Cleanup everything not related to bindings from here if 'host_id' in binding: host_id = binding['host_id'] # FIXME: # Clean up yamls or remove them completely, this is so ugly _host = filter(lambda x: x['host']['id'] == host_id, self._ptm._hosts)[0]['host'] elif 'hostname' in binding: hostname = binding['hostname'] _host = filter(lambda x: x['host']['hostname'] == hostname, self._ptm._hosts)[0]['host'] else: raise RuntimeError("Hosts in the binding should have a" "host_id or a hostname property") _interface = filter(lambda x: x['interface']['id'] == iface_id, _host['interfaces'])[0]['interface'] mn_vport_id = mn_vport.get_id() host = service.get_container_by_hostname('midolman%s' % host_id) if _interface['type'] == 'netns': iface = host.create_vmguest(**_interface) elif _interface['type'] == 'trunk': iface = host.create_trunk(**_interface) else: # provided iface = host.create_provided(**_interface) self._port_if_map[(device_name, port_id)] = iface iface.vport_id = mn_vport_id self._interfaces.append((iface, host)) iface.clear_arp(sync=True) iface.vport_id = mn_vport_id host.bind_port(iface, mn_vport_id) await_port_active(mn_vport_id)
def bind(self, filename=None): self._ptm.build() self._vtm.build() # Get a new api ref to workaround previous zk failures self._api = get_midonet_api() bindings = self._data['bindings'] for b in bindings: binding = b['binding'] host_id = binding['host_id'] iface_id = binding['interface_id'] device_name = binding['device_name'] port_id = binding['port_id'] device_port = self._vtm.get_device_port(device_name, port_id) mn_vport = device_port._mn_resource if mn_vport.get_type() == 'InteriorRouter' or \ mn_vport.get_type() == 'InteriorBridge': LOG.error("Cannot bind interior port") sys.exit(-1) # TODO: make this fancier # FIXME: some hosts are specified by midonet host_id while others # are referenced by hostname. Need a coherent mechanism # Cleanup everything not related to bindings from here if 'host_id' in binding: host_id = binding['host_id'] # FIXME: # Clean up yamls or remove them completely, this is so ugly _host = filter( lambda x: x['host']['id'] == host_id, self._ptm._hosts)[0]['host'] elif 'hostname' in binding: hostname = binding['hostname'] _host = filter( lambda x: x['host']['hostname'] == hostname, self._ptm._hosts)[0]['host'] else: raise RuntimeError("Hosts in the binding should have a" "host_id or a hostname property") _interface = filter( lambda x: x['interface']['id'] == iface_id, _host['interfaces'] )[0]['interface'] mn_vport_id = mn_vport.get_id() host = service.get_container_by_hostname('midolman%s' % host_id) if _interface['type'] == 'netns': iface = host.create_vmguest(**_interface) elif _interface['type'] == 'trunk': iface = host.create_trunk(**_interface) else: # provided iface = host.create_provided(**_interface) self._port_if_map[(device_name, port_id)] = iface iface.vport_id = mn_vport_id self._interfaces.append((iface, host)) iface.clear_arp(sync=True) iface.vport_id = mn_vport_id host.bind_port(iface, mn_vport_id) await_port_active(mn_vport_id)
def test_l2insertion_both_ends_protected(): """ Title: Test insertions with both ends protected 2 L2 insertions on 2 ports, each insertion with a different bad pattern. The bad packets matching the different patterns should be blocked at different insertions depending on the direction of the packet. Verify that packets are blocked in the same order regardless of the direction. """ api = get_midonet_api() service_port1 = BM.get_iface_for_port('bridge-000-001', 2) service_port2 = BM.get_iface_for_port('bridge-000-001', 3) fakesnort1 = FakeSnort(service_port1, "deadbeef") fakesnort2 = FakeSnort(service_port2, "cafef00d") try: fakesnort1.run() fakesnort2.run() insertion_port1 = BM.get_iface_for_port('bridge-000-001', 1) insertion_port2 = BM.get_iface_for_port('bridge-000-001', 4) insertion1 = api.add_l2insertion() insertion1.srv_port(service_port1.vport_id) insertion1.port(insertion_port1.vport_id) insertion1.position(1) insertion1.fail_open(False) insertion1.vlan(1) insertion1.mac(insertion_port1.get_mac_addr()) insertion1.create() insertion2 = api.add_l2insertion() insertion2.srv_port(service_port2.vport_id) insertion2.port(insertion_port1.vport_id) insertion2.position(2) insertion2.fail_open(False) insertion2.vlan(2) insertion2.mac(insertion_port1.get_mac_addr()) insertion2.create() insertion3 = api.add_l2insertion() insertion3.srv_port(service_port1.vport_id) insertion3.port(insertion_port2.vport_id) insertion3.position(1) insertion3.fail_open(False) insertion3.vlan(3) insertion3.mac(insertion_port2.get_mac_addr()) insertion3.create() insertion4 = api.add_l2insertion() insertion4.srv_port(service_port2.vport_id) insertion4.port(insertion_port2.vport_id) insertion4.position(2) insertion4.fail_open(False) insertion4.vlan(4) insertion4.mac(insertion_port2.get_mac_addr()) insertion4.create() time.sleep(5) rcv_filter = 'ip dst %s and icmp[icmptype] == 8' % insertion_port2.get_ip() LOG.info("Sending good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10), count=2)) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10), count=2)) f3 = async_assert_that(insertion_port2, receives(rcv_filter, within_sec(10))) ping_port(insertion_port1, insertion_port2, data="f00b4c") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port2, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(insertion_port1, insertion_port2, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port2, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(insertion_port1, insertion_port2, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) finally: fakesnort2.kill() fakesnort1.kill()
def test_multi_l2insertion(): """ Title: Multiple insertions on a port 2 L2 insertions on a port, each with a different bad pattern. The bad packets matching the different patterns should be blocked at different points. Verify that packets are blocked in the same order regardless of the direction. """ api = get_midonet_api() service_port1 = BM.get_iface_for_port('bridge-000-001', 2) service_port2 = BM.get_iface_for_port('bridge-000-001', 3) fakesnort1 = FakeSnort(service_port1, "deadbeef") fakesnort2 = FakeSnort(service_port2, "cafef00d") try: fakesnort1.run() fakesnort2.run() insertion_port = BM.get_iface_for_port('bridge-000-001', 1) insertion1 = api.add_l2insertion() insertion1.srv_port(service_port1.vport_id) insertion1.port(insertion_port.vport_id) insertion1.position(1) insertion1.fail_open(False) insertion1.vlan(1) insertion1.mac(insertion_port.get_mac_addr()) insertion1.create() insertion2 = api.add_l2insertion() insertion2.srv_port(service_port2.vport_id) insertion2.port(insertion_port.vport_id) insertion2.position(2) insertion2.fail_open(False) insertion2.vlan(2) insertion2.mac(insertion_port.get_mac_addr()) insertion2.create() time.sleep(5) rcv_filter = 'ether dst %s and icmp[icmptype] == 8' % insertion_port.get_mac_addr() rcv_filter_ret = 'ether src %s and icmp[icmptype] == 8' % insertion_port.get_mac_addr() other_port = BM.get_iface_for_port('bridge-000-001', 4) LOG.info("Sending good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending another good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="beeff00d") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef the other way") f1 = async_assert_that(service_port1, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter_ret, within_sec(10))) f3 = async_assert_that(other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food the other way") f1 = async_assert_that(service_port1, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter_ret, within_sec(10))) f3 = async_assert_that(other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending another good packet the other way") f1 = async_assert_that(service_port1, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter_ret, within_sec(10))) f3 = async_assert_that(other_port, receives(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="beeff00d") wait_on_futures([f1, f2, f3]) finally: fakesnort1.kill() fakesnort2.kill()
def test_l2insertion_fail_open(): """ Title: Test insertions with fail open 2 L2 insertions on a port, each insertion with a different bad pattern. One of the insertions is set to fail open. Test both bad patterns can't get through. Take down the fail open insertion. Verify that that bad pattern can now get through. Take down the non fail open insertion. Verify that no traffic can get through. Also verify both directions """ api = get_midonet_api() service_port1 = BM.get_iface_for_port('bridge-000-001', 2) service_port2 = BM.get_iface_for_port('bridge-000-001', 3) fakesnort1 = FakeSnort(service_port1, "deadbeef") fakesnort2 = FakeSnort(service_port2, "cafef00d") try: fakesnort1.run() fakesnort2.run() insertion_port = BM.get_iface_for_port('bridge-000-001', 1) other_port = BM.get_iface_for_port('bridge-000-001', 4) insertion1 = api.add_l2insertion() insertion1.srv_port(service_port1.vport_id) insertion1.port(insertion_port.vport_id) insertion1.position(1) insertion1.fail_open(True) insertion1.vlan(1) insertion1.mac(insertion_port.get_mac_addr()) insertion1.create() insertion2 = api.add_l2insertion() insertion2.srv_port(service_port2.vport_id) insertion2.port(insertion_port.vport_id) insertion2.position(2) insertion2.fail_open(False) insertion2.vlan(2) insertion2.mac(insertion_port.get_mac_addr()) insertion2.create() time.sleep(5) rcv_filter = 'ip dst %s and icmp[icmptype] == 8' % insertion_port.get_ip( ) rcv_filter_ret = 'ip src %s and icmp[icmptype] == 8' % insertion_port.get_ip( ) LOG.info("Sending good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef the other way") f1 = async_assert_that(service_port1, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that( service_port2, should_NOT_receive(rcv_filter_ret, within_sec(10))) f3 = async_assert_that( other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) set_interface_admin_down(service_port1) time.sleep(5) # give midolman a chance to see it LOG.info("Sending dead beef again") f1 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef") wait_on_futures([f1, f2]) LOG.info("Sending dead beef the other way again") f1 = async_assert_that(service_port2, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(other_port, receives(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="deadbeef") wait_on_futures([f1, f2]) LOG.info("Sending cafe food again") f1 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2]) set_interface_admin_down(service_port2) time.sleep(5) # nothing should get through LOG.info("Sending good packet") f1 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c", should_succeed=False) wait_on_futures([f1]) LOG.info("Sending good packet the other way") f1 = async_assert_that( other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="f00b4c", should_succeed=False) wait_on_futures([f1]) finally: fakesnort2.kill() fakesnort1.kill()
def test_basic_l2insertion(): """ Title: Basic insertion functionallity L2Service insertion on 1, which redirects traffic through port 3. Good traffic should go through. Traffic that matches the bad pattern should be dropped. """ api = get_midonet_api() service_port = BM.get_iface_for_port('bridge-000-001', 2) fakesnort = FakeSnort(service_port, "deadbeef") fakesnort.run() try: insertion_port = BM.get_iface_for_port('bridge-000-001', 1) insertion = api.add_l2insertion() insertion.srv_port(service_port.vport_id) insertion.port(insertion_port.vport_id) insertion.position(1) insertion.fail_open(False) insertion.mac(insertion_port.get_mac_addr()) insertion.create() time.sleep(5) other_port = BM.get_iface_for_port('bridge-000-001', 3) rcv_filter = 'ether dst %s and icmp[icmptype] == 8' % insertion_port.get_mac_addr( ) rcv_filter_ret = 'ether src %s and icmp[icmptype] == 8' % insertion_port.get_mac_addr( ) LOG.info("Sending good packet") f1 = async_assert_that(service_port, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2]) LOG.info("Sending another good packet") f1 = async_assert_that(service_port, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2]) LOG.info("Sending bad packet the other way") f1 = async_assert_that(service_port, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that( other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2]) LOG.info("Sending good packet the other way") f1 = async_assert_that(service_port, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(other_port, receives(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="b00f00") wait_on_futures([f1, f2]) finally: fakesnort.kill()
def test_multi_l2insertion(): """ Title: Multiple insertions on a port 2 L2 insertions on a port, each with a different bad pattern. The bad packets matching the different patterns should be blocked at different points. Verify that packets are blocked in the same order regardless of the direction. """ api = get_midonet_api() service_port1 = BM.get_iface_for_port('bridge-000-001', 2) service_port2 = BM.get_iface_for_port('bridge-000-001', 3) fakesnort1 = FakeSnort(service_port1, "deadbeef") fakesnort2 = FakeSnort(service_port2, "cafef00d") try: fakesnort1.run() fakesnort2.run() insertion_port = BM.get_iface_for_port('bridge-000-001', 1) insertion1 = api.add_l2insertion() insertion1.srv_port(service_port1.vport_id) insertion1.port(insertion_port.vport_id) insertion1.position(1) insertion1.fail_open(False) insertion1.vlan(1) insertion1.mac(insertion_port.get_mac_addr()) insertion1.create() insertion2 = api.add_l2insertion() insertion2.srv_port(service_port2.vport_id) insertion2.port(insertion_port.vport_id) insertion2.position(2) insertion2.fail_open(False) insertion2.vlan(2) insertion2.mac(insertion_port.get_mac_addr()) insertion2.create() time.sleep(5) rcv_filter = 'ether dst %s and icmp[icmptype] == 8' % insertion_port.get_mac_addr( ) rcv_filter_ret = 'ether src %s and icmp[icmptype] == 8' % insertion_port.get_mac_addr( ) other_port = BM.get_iface_for_port('bridge-000-001', 4) LOG.info("Sending good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending another good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="beeff00d") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef the other way") f1 = async_assert_that(service_port1, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that( service_port2, should_NOT_receive(rcv_filter_ret, within_sec(10))) f3 = async_assert_that( other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food the other way") f1 = async_assert_that(service_port1, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter_ret, within_sec(10))) f3 = async_assert_that( other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending another good packet the other way") f1 = async_assert_that(service_port1, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter_ret, within_sec(10))) f3 = async_assert_that(other_port, receives(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="beeff00d") wait_on_futures([f1, f2, f3]) finally: fakesnort1.kill() fakesnort2.kill()
def test_basic_l2insertion(): """ Title: Basic insertion functionallity L2Service insertion on 1, which redirects traffic through port 3. Good traffic should go through. Traffic that matches the bad pattern should be dropped. """ api = get_midonet_api() service_port = BM.get_iface_for_port('bridge-000-001', 2) fakesnort = FakeSnort(service_port, "deadbeef") fakesnort.run() try: insertion_port = BM.get_iface_for_port('bridge-000-001', 1) insertion = api.add_l2insertion() insertion.srv_port(service_port.vport_id) insertion.port(insertion_port.vport_id) insertion.position(1) insertion.fail_open(False) insertion.mac(insertion_port.get_mac_addr()) insertion.create() time.sleep(5) other_port = BM.get_iface_for_port('bridge-000-001', 3) rcv_filter = 'ether dst %s and icmp[icmptype] == 8' % insertion_port.get_mac_addr() rcv_filter_ret = 'ether src %s and icmp[icmptype] == 8' % insertion_port.get_mac_addr() LOG.info("Sending good packet") f1 = async_assert_that(service_port, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2]) LOG.info("Sending another good packet") f1 = async_assert_that(service_port, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2]) LOG.info("Sending bad packet the other way") f1 = async_assert_that(service_port, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2]) LOG.info("Sending good packet the other way") f1 = async_assert_that(service_port, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(other_port, receives(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="b00f00") wait_on_futures([f1, f2]) finally: fakesnort.kill()
def test_l2insertion_with_flowstate(): """ Title: Test insertions with flow state 2 L2 insertions on a port, each with a different bad pattern. Packets are sent over DNAT so that flow state is generated and necessary to return the packet. The bad packets matching the different patterns should be blocked at different points. Verify that packets are blocked in the same order regardless of the direction. """ api = get_midonet_api() router = VTM.get_router('router-000-001') conntrack_filter = VTM.get_chain('conntrack_filter_001') router.set_inbound_filter(conntrack_filter) # Sleep here to make sure that the settings have been propagated. time.sleep(5) service_port1 = BM.get_iface_for_port('bridge-000-001', 2) service_port2 = BM.get_iface_for_port('bridge-000-001', 3) fakesnort1 = FakeSnort(service_port1, "deadbeef") fakesnort2 = FakeSnort(service_port2, "cafef00d") try: fakesnort1.run() fakesnort2.run() insertion_port = BM.get_iface_for_port('bridge-000-001', 1) other_port = BM.get_iface_for_port('bridge-000-002', 1) insertion1 = api.add_l2insertion() insertion1.srv_port(service_port1.vport_id) insertion1.port(insertion_port.vport_id) insertion1.position(1) insertion1.fail_open(False) insertion1.vlan(1) insertion1.mac(insertion_port.get_mac_addr()) insertion1.create() insertion2 = api.add_l2insertion() insertion2.srv_port(service_port2.vport_id) insertion2.port(insertion_port.vport_id) insertion2.position(2) insertion2.fail_open(False) insertion2.vlan(2) insertion2.mac(insertion_port.get_mac_addr()) insertion2.create() time.sleep(5) rcv_filter = 'ip dst %s and icmp[icmptype] == 8' % insertion_port.get_ip( ) rcv_filter_ret = 'ip src %s and icmp[icmptype] == 8' % insertion_port.get_ip( ) LOG.info("Sending good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending another good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="beeff00d") wait_on_futures([f1, f2, f3]) finally: fakesnort1.kill() fakesnort2.kill()
def test_l2insertion_with_flowstate(): """ Title: Test insertions with flow state 2 L2 insertions on a port, each with a different bad pattern. Packets are sent over DNAT so that flow state is generated and necessary to return the packet. The bad packets matching the different patterns should be blocked at different points. Verify that packets are blocked in the same order regardless of the direction. """ api = get_midonet_api() router = VTM.get_router('router-000-001') conntrack_filter = VTM.get_chain('conntrack_filter_001') router.set_inbound_filter(conntrack_filter) # Sleep here to make sure that the settings have been propagated. time.sleep(5) service_port1 = BM.get_iface_for_port('bridge-000-001', 2) service_port2 = BM.get_iface_for_port('bridge-000-001', 3) fakesnort1 = FakeSnort(service_port1, "deadbeef") fakesnort2 = FakeSnort(service_port2, "cafef00d") try: fakesnort1.run() fakesnort2.run() insertion_port = BM.get_iface_for_port('bridge-000-001', 1) other_port = BM.get_iface_for_port('bridge-000-002', 1) insertion1 = api.add_l2insertion() insertion1.srv_port(service_port1.vport_id) insertion1.port(insertion_port.vport_id) insertion1.position(1) insertion1.fail_open(False) insertion1.vlan(1) insertion1.mac(insertion_port.get_mac_addr()) insertion1.create() insertion2 = api.add_l2insertion() insertion2.srv_port(service_port2.vport_id) insertion2.port(insertion_port.vport_id) insertion2.position(2) insertion2.fail_open(False) insertion2.vlan(2) insertion2.mac(insertion_port.get_mac_addr()) insertion2.create() time.sleep(5) rcv_filter = 'ip dst %s and icmp[icmptype] == 8' % insertion_port.get_ip() LOG.info("Sending good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending another good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="beeff00d") wait_on_futures([f1, f2, f3]) finally: fakesnort1.kill() fakesnort2.kill()
def test_l2insertion_both_ends_protected(): """ Title: Test insertions with both ends protected 2 L2 insertions on 2 ports, each insertion with a different bad pattern. The bad packets matching the different patterns should be blocked at different insertions depending on the direction of the packet. Verify that packets are blocked in the same order regardless of the direction. """ api = get_midonet_api() service_port1 = BM.get_iface_for_port('bridge-000-001', 2) service_port2 = BM.get_iface_for_port('bridge-000-001', 3) fakesnort1 = FakeSnort(service_port1, "deadbeef") fakesnort2 = FakeSnort(service_port2, "cafef00d") try: fakesnort1.run() fakesnort2.run() insertion_port1 = BM.get_iface_for_port('bridge-000-001', 1) insertion_port2 = BM.get_iface_for_port('bridge-000-001', 4) insertion1 = api.add_l2insertion() insertion1.srv_port(service_port1.vport_id) insertion1.port(insertion_port1.vport_id) insertion1.position(1) insertion1.fail_open(False) insertion1.vlan(1) insertion1.mac(insertion_port1.get_mac_addr()) insertion1.create() insertion2 = api.add_l2insertion() insertion2.srv_port(service_port2.vport_id) insertion2.port(insertion_port1.vport_id) insertion2.position(2) insertion2.fail_open(False) insertion2.vlan(2) insertion2.mac(insertion_port1.get_mac_addr()) insertion2.create() insertion3 = api.add_l2insertion() insertion3.srv_port(service_port1.vport_id) insertion3.port(insertion_port2.vport_id) insertion3.position(1) insertion3.fail_open(False) insertion3.vlan(3) insertion3.mac(insertion_port2.get_mac_addr()) insertion3.create() insertion4 = api.add_l2insertion() insertion4.srv_port(service_port2.vport_id) insertion4.port(insertion_port2.vport_id) insertion4.position(2) insertion4.fail_open(False) insertion4.vlan(4) insertion4.mac(insertion_port2.get_mac_addr()) insertion4.create() time.sleep(5) rcv_filter = 'ip dst %s and icmp[icmptype] == 8' % insertion_port2.get_ip( ) rcv_filter_ret = 'ip src %s and icmp[icmptype] == 8' % insertion_port2.get_ip( ) LOG.info("Sending good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10), count=2)) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10), count=2)) f3 = async_assert_that(insertion_port2, receives(rcv_filter, within_sec(10))) ping_port(insertion_port1, insertion_port2, data="f00b4c") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port2, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(insertion_port1, insertion_port2, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port2, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(insertion_port1, insertion_port2, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) finally: fakesnort2.kill() fakesnort1.kill()
def test_l2insertion_fail_open(): """ Title: Test insertions with fail open 2 L2 insertions on a port, each insertion with a different bad pattern. One of the insertions is set to fail open. Test both bad patterns can't get through. Take down the fail open insertion. Verify that that bad pattern can now get through. Take down the non fail open insertion. Verify that no traffic can get through. Also verify both directions """ api = get_midonet_api() service_port1 = BM.get_iface_for_port('bridge-000-001', 2) service_port2 = BM.get_iface_for_port('bridge-000-001', 3) fakesnort1 = FakeSnort(service_port1, "deadbeef") fakesnort2 = FakeSnort(service_port2, "cafef00d") try: fakesnort1.run() fakesnort2.run() insertion_port = BM.get_iface_for_port('bridge-000-001', 1) other_port = BM.get_iface_for_port('bridge-000-001', 4) insertion1 = api.add_l2insertion() insertion1.srv_port(service_port1.vport_id) insertion1.port(insertion_port.vport_id) insertion1.position(1) insertion1.fail_open(True) insertion1.vlan(1) insertion1.mac(insertion_port.get_mac_addr()) insertion1.create() insertion2 = api.add_l2insertion() insertion2.srv_port(service_port2.vport_id) insertion2.port(insertion_port.vport_id) insertion2.position(2) insertion2.fail_open(False) insertion2.vlan(2) insertion2.mac(insertion_port.get_mac_addr()) insertion2.create() time.sleep(5) rcv_filter = 'ip dst %s and icmp[icmptype] == 8' % insertion_port.get_ip() rcv_filter_ret = 'ip src %s and icmp[icmptype] == 8' % insertion_port.get_ip() LOG.info("Sending good packet") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c") wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending cafe food") f1 = async_assert_that(service_port1, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f3 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2, f3]) LOG.info("Sending dead beef the other way") f1 = async_assert_that(service_port1, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(service_port2, should_NOT_receive(rcv_filter_ret, within_sec(10))) f3 = async_assert_that(other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="deadbeef", should_succeed=False) wait_on_futures([f1, f2, f3]) set_interface_admin_down(service_port1) time.sleep(5) # give midolman a chance to see it LOG.info("Sending dead beef again") f1 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, receives(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="deadbeef") wait_on_futures([f1, f2]) LOG.info("Sending dead beef the other way again") f1 = async_assert_that(service_port2, receives(rcv_filter_ret, within_sec(10))) f2 = async_assert_that(other_port, receives(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="deadbeef") wait_on_futures([f1, f2]) LOG.info("Sending cafe food again") f1 = async_assert_that(service_port2, receives(rcv_filter, within_sec(10))) f2 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="cafef00d", should_succeed=False) wait_on_futures([f1, f2]) set_interface_admin_down(service_port2) time.sleep(5) # nothing should get through LOG.info("Sending good packet") f1 = async_assert_that(insertion_port, should_NOT_receive(rcv_filter, within_sec(10))) ping_port(other_port, insertion_port, data="f00b4c", should_succeed=False) wait_on_futures([f1]) LOG.info("Sending good packet the other way") f1 = async_assert_that(other_port, should_NOT_receive(rcv_filter_ret, within_sec(10))) ping_port(insertion_port, other_port, data="f00b4c", should_succeed=False) wait_on_futures([f1]) finally: fakesnort2.kill() fakesnort1.kill()
def __init__(self, filename=None, data=None, midonet_api=None): self._data = self._get_data(filename, data) if not midonet_api: self._api = get_midonet_api()